
Re: Building amd64 kernels on i386



On Thu, Dec 01, 2005 at 11:34:00AM +0100, Thomas Steffen wrote:
> Not having gcc is about as good for security as ROT13 encoding the
> names of all executables. Sure, it will confuse every script that
> tries to install something, but is it worth it?

I agree entirely.  I am always much more interested in preventing
security breaches in the first place than in minimizing the damage after
they occur.  If the main security is breached I want to know about it
as soon as possible.  If it succeeds and then nothing happens because
everything else is weird inside, well that doesn't tell me there is a
problem, and someone determined enough could manage to build and
transfer binaries anyhow in that case.  I don't believe much in the
usefulness of IDS since too many false alarms make you ignore them, and
the real goal is preventing intrusions, not detecting them after they
happen (which is usually harder).

> If you still have doubts, you can install gcc for compiling the kernel
> and then remove it afterwards. Cross-compiling is experimental at
> best, if it works at all. I would certainly not try the result of the
> cross-compilation on a production server :-).

Having a development machine of the same architecture as your production
systems is also a good idea in general.  Cross compiling shouldn't be
necessary at all unless you happen to be targeting some embedded system
which doesn't have a compatible platform for development.

Len Sorensen


